Examples

First, we'll use a parse statement such as the following to get the User from the log message, which will return a field called user_email with a value of jsmith@demo.com:

parse "User=*:" as user_email

Now that we have this field, we want to additionally parse out just the name and domain from the email address. We can do this by adding the additional syntax of field=<field_name> to a follow-up parse operation:

The field=<field_name> syntax is not limited to fields that have been specifically parsed from the logs. It can also be used to parse the predefined metadata fields such as _collector, _source, _sourceName, etc. For example, if we have a long list of Collectors all with the same naming format of HostName_10.10.10.1, we can parse this metadata field value to get just the IP address.
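Both follow-up parses described above, combined in one query. This is an added example, not taken from the original page; the scope `_sourceCategory=auth/login`, the sample log line, and the output field names `user_name`, `email_domain`, `collector_host` and `collector_ip` are assumptions chosen for illustration.

```sumo
// Constructed sample message (not from a real log):
//   2024-01-01 12:00:00 INFO login ok User=jsmith@demo.com: session opened
// Assumed scope; replace with the source category that holds your auth logs.
_sourceCategory=auth/login
// Step 1: parse the raw message, giving user_email = jsmith@demo.com
| parse "User=*:" as user_email
// Step 2: parse the already-extracted field instead of the raw message,
// giving user_name = jsmith and email_domain = demo.com
| parse field=user_email "*@*" as user_name, email_domain
// Step 3: parse the built-in _collector metadata field.
// Assumes Collector names follow HostName_10.10.10.1 with a single underscore.
| parse field=_collector "*_*" as collector_host, collector_ip
// Summarise which email domains are seen from which Collector IP addresses
| count by email_domain, collector_ip
```

Messages that do not match a parse expression are dropped from the results by default, so a Collector whose name does not follow the assumed format will not appear in the count.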
